South Korea🇰🇷 KR7 malware familiesExploits CVEs in the wild

Darkhotel

Also known asapt_c_06APT-C-60Dark HotelDarkhotelDUBNIUMEgobotFallout TeamNemimPALADINPurple PygmySHADOW CRANETapaouxTEMPLARTieOnJoeZigzag Hail

DarkHotel is a threat actor also tracked as Tapaoux and associated in the provided content with aliases including Dubnium, Zigzag Hail, Shadow Crane, Purple Pygmy, Paladin, Nemim, Fallout Team, Templar, Tieonjoe, EgoBot, APT-C-06, and APT-C-60. The content describes it as a sophisticated, likely South Korea-linked nation-state actor; Microsoft maps Dark Hotel/Tapaoux to Zigzag Hail, and Kaspersky reported indications the group may have originated from South Korea. Kaspersky stated the group had been active since at least 2007. The actor is described as targeting high-profile executives, government agencies, NGOs, defense-related entities, and luxury hotel guests in Asia, with primary targeting in North Korea, Japan, and India, as well as the U.S. defense industrial base and important executives worldwide. A notable campaign involved compromising luxury hotel networks in Asia to deliver fake Adobe updates to selected guests, with malware staged on hotel servers before a target arrived and removed after departure. The content also states the group used a two-pronged approach consisting of broad peer-to-peer infections and more selective spearphishing and hotel-based operations. Observed tradecraft in the provided content includes spearphishing emails with malicious RAR and .LNK attachments; malware disguised as a Secure Shell (SSH) tool; persistence via Windows Run Registry keys; dropping an mspaint.lnk shortcut that launches a shell script to download and execute a file; collection of running processes; collection of hostname, OS version, service pack version, processor architecture, IP address, and network adapter information; use of forged or stolen code-signing certificates to sign malware, backdoors, and downloaders; obfuscation using RC4, XOR, and RSA; just-in-time string decryption to evade sandbox detection; and process and memory injection behavior including WriteProcessMemory and Process32NextW noted in sandbox analysis. Kaspersky also reported use of zero-day exploits in spearphishing, a kernel-mode keystroke logger, and signed malware made to appear legitimate. The content further states that the NSA Territorial Dispute research mapped Sig25 to Dark Hotel/Tapaoux and suggests the NSA may have tracked DarkHotel tools in 2011, before broader public discovery.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Non-Governmental Organizations
Military

Where they target

Geographies tied to known operations.

🇰🇵 North Korea
🇯🇵 Japan
🇮🇳 India
🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics59 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1589

Gather Victim Identity Information

TA0001

Initial Access

4 techniques

T1189×2

Drive-by Compromise

T1195

Supply Chain Compromise

T1200

Hardware Additions

T1566

Phishing

T1566.001×12

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

4 techniques

T1059×3

Command and Scripting Interpreter

T1059.001×3

PowerShell

T1059.003

Windows Command Shell

T1059.005

Visual Basic

T1129

Shared Modules

T1203×4

Exploitation for Client Execution

T1204×3

User Execution

T1204.002×6

Malicious File

TA0003

Persistence

2 techniques

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

4 techniques

T1055

Process Injection

T1068

Exploitation for Privilege Escalation

T1546

Event Triggered Execution

T1546.015

Component Object Model Hijacking

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0005

Stealth

7 techniques

T1027×6

Obfuscated Files or Information

T1027.013×2

Encrypted/Encoded File

T1036

Masquerading

T1036.008

Masquerade File Type

T1055

Process Injection

T1140

Deobfuscate/Decode Files or Information

T1218×2

System Binary Proxy Execution

T1218.014

MMC

T1497×3

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1564

Hide Artifacts

T1564.006

Run Virtual Instance

TA0112

Defense Impairment

1 technique

T1553

Subvert Trust Controls

T1553.002×2

Code Signing

TA0006

Credential Access

2 techniques

T1056

Input Capture

T1056.001

Keylogging

T1557

Adversary-in-the-Middle

TA0007

Discovery

8 techniques

T1016×6

System Network Configuration Discovery

T1018

Remote System Discovery

T1046

Network Service Discovery

T1057

Process Discovery

T1082×7

System Information Discovery

T1083×4

File and Directory Discovery

T1124

System Time Discovery

T1497×3

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0008

Lateral Movement

1 technique

T1021

Remote Services

TA0009

Collection

2 techniques

T1056

Input Capture

T1056.001

Keylogging

T1557

Adversary-in-the-Middle

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1102

Web Service

T1105×4

Ingress Tool Transfer

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

SpyGlace"APT-C-60 Targets Japan: New SpyGlace Malware Uses VHDX LNK and GitHub Tasking for Persistent Espionage"4Mar 18, 2026

Downloader1“The created WebClassUser.dat (hereafter referred to as “Downloader1”)… gets persisted and executed through COM hijacking.”2Mar 18, 2026

Downloader2“DownLoader1 then retrieves that file from GitHub… Based on the URL in the retrieved file, DownLoader2 is downloaded and executed… Downloader2 can download and execute SpyGlace and its loader.”2Mar 18, 2026

DarkhotelDarkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.1Mar 18, 2026

KONNI“...connection... between DarkHotel and the Konni/Nokki set of activity described by other vendors.”1Mar 18, 2026

2 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.

CVE-2015-8651Integer Overflow RCE in Adobe Flash Player and Adobe AIRIn the wildEvidence2

Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2018-8174Windows VBScript Engine Remote Code Execution VulnerabilityIn the wildEvidence1

May 2018: a new wave of targeted attacks abusing CVE-2018-8174 (this exploit has been associated with the DarkHotel APT group, as described on Securelist), with diplomatic, defense, manufacturing, military and government targets in Asia and Eastern Europe;

CVE-2020-0968Internet Explorer Scripting Engine Memory Corruption RCEIn the wildEvidence1

At the end of June 2020, the operators stepped up their game by using a vulnerability in Internet Explorer, CVE-2020-0968, which had been patched in April 2020. Instead of delivering an archive with a LNK file, the C&C server was delivering an RTF file that, once opened, downloaded an HTML file exploiting the aforementioned vulnerability.

CVE-2024-7262Arbitrary DLL Load in Kingsoft WPS Office promecefpluginhost.exeIn the wildEvidence1

Public reporting indicates the group exploited a remote code execution vulnerability in the Windows version of a productivity suite (CVE-2024-7262) to drop SpyGlace.

IOCS

Observables

101 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

101 IOCsView more in app

Domains

43 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+35

hash.sha256

33 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+25

uri

14 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+6

hash.md5

7 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha1

2 total

•••••••••••••••••

ip.v4

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

r136a1 blogNews

May 7, 2026

Where Have All the Complex Windows Malware and Their Analyses Gone?

Referenced as part of the era of sophisticated malware campaigns that received deep public technical analysis.

confiant blogNews

Apr 14, 2026

Internet Explorer CVE-2019-1367 In the wild Exploitation - prelude

Exploited CVE-2019-1367 in the wild and was later linked to the 'Double Star' attacks using Internet Explorer and Firefox 0-days against targets connected to North Korea and Japanese infrastructure.

splunk researchNews

Apr 13, 2026

Detection: Windows Binary Execution from an Archive | Splunk Security Content

Listed as a threat actor associated with the malicious file execution technique detected by this analytic.

splunk researchNews

Apr 13, 2026

Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

+188 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping43

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs5

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables101

Domains, IPs, and hashes tied to this actor, refreshed continuously.